Vulnerable Openssl version remains & got activated after update

Grierson, David David.Grierson at bskyb.com
Fri Jun 13 13:03:41 UTC 2014


You only appear to have upgraded the x86_64 RPMs for the new version - maybe you've still got the i686 version of the RPMs installed as well?

For example on my internal RHEL5 system:

$ rpm -q --qf "%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}\n" openssl
openssl-0.9.8e.22.el5_8.3.x86_64
openssl-0.9.8e.22.el5_8.3.i686

Dg.
--
David Grierson - SDLC Tools Specialist
Sky Broadcasting - Customer Business Systems - SDLC Tools
Email: David.Grierson at bskyb.com
Watermark Building, Alba Campus, Livingston, EH54 7HH


> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Sunhux G
> Sent: 13 June 2014 13:49
> To: General Red Hat Linux discussion list
> Subject: Vulnerable Openssl version remains & got activated after update
>
> Hello
>
> I'm sure my rpms are not corrupted (MD5 checksummed)
> as I got them from RHN:
> 1,525,631 bytes openssl-0.9.8e-27.el5_10.3.x86_64.rpm
> 1,952,684 bytes openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
>
> Faced an issue after updating the above Openssl & its devel rpm:
> the updated version of Openssl "adds on" instead of replacing the
> current old version & the RHN's perl script still reports it as
> vulnerable. Any concern if I forcefully delete (ie "rpm -e --nodeps")
> the vulnerable Openssl rpm openssl-0.9.8e-22.el5 ?
>
> What to do next to address this vulnerable Openssl?
>
>
> # ls *cg*
> opswgw-cgws1-RCLOUDMMM
> # ./opswgw-cgws1-RCLOUDMMM stop   # <== this service uses OpenSSL
> Stopping opswgw: .
>
> # rpm -qa |grep ssl   # verify the current old version
> openssl-0.9.8e-22.el5
> openssl-devel-0.9.8e-22.el5
> openssl-devel-0.9.8e-22.el5
> OPSWopenssl-0.9.8g-1
> docbook-style-dsssl-1.79-4.1
>
> # rpm -Uvh ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
> Preparing...                ########################################### [100%]
>         file /etc/pki/tls/certs/ca-bundle.crt from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686
>         file /usr/share/man/man1/ca.1ssl.gz from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686
>         file /usr/share/man/man1/req.1ssl.gz from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686
>         file /usr/share/man/man1/x509.1ssl.gz from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686
> #
> # rpm -Uvh ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm --replacefiles
> Preparing...                ########################################### [100%]
>    1:openssl                ########################################### [ 50%]
>    2:openssl-devel          ########################################### [100%]
>
>
> # rpm -qa |grep -i ssl
> openssl-0.9.8e-27.el5_10.3      # <== new version created
> openssl-0.9.8e-22.el5             # <== old version still there
> OPSWopenssl-0.9.8g-1
> openssl-devel-0.9.8e-27.el5_10.3      #<== this devel rpm got updated ok
> docbook-style-dsssl-1.79-4.1
> pyOpenSSL-0.6-2.el5
>
> # rpm -e openssl-0.9.8e-22.el5
> error: Failed dependencies:
>         libcrypto.so.6 is needed by (installed)
> nspluginwrapper-1.3.0-9.el5.i386
>         libcrypto.so.6 is needed by (installed) neon-0.25.5-
> 10.el5_4.1.i386
>         libcrypto.so.6 is needed by (installed) pam_ccreds-3-5.i386
>       . . . & many other dependencies . . .
>
> # ./opswgw-cgws1-RCLOUDMMM start
> Starting opswgw:                                           [  OK  ]
> # netstat -anop |grep ":443 " |grep -i listen
> tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      14914/[opswgw-gatew off (0.00/0/0)
>
> # ps -ef |grep 14914
> opswgw   14914 14913  0 10:27 ?        00:00:00 [opswgw-gateway-45.0.3991.0: cgws1-RCLOUDMMM] --PropertiesFile /etc/opt/opsware/opswgw-cgws1-RCLOUDMMM/opswgw.properties --BinPath /opt/opsware/opswgw/bin/opswgw --Child true
> root     14992  7088  0 10:28 pts/1    00:00:00 grep 14914
> #
> # ./opswgw-cgws1-RCLOUDMMM start
> # cd /root
> # ./fake-client-early-ccs.pl localhost 443
> Got server response, size: 2953
> - Handshake - Server Hello
> - Handshake - Certificate
> - Handshake - Server Key Exhange
> - Handshake - Server Hello Done
> FAIL Remote host is affected
>
> # openssl version
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> [root at MPLSADB02 ~]# rpm -qa |grep -i fips
> fipscheck-1.2.0-1.el5
>
>
> SH
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
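An added example, not part of the list post above, that turns David's suggestion into something you can run: it lists every installed openssl package that is not at the release you just installed, architecture included, and then reads /proc/<pid>/maps to find processes still using a libcrypto or libssl that is either a replaced file (the kernel marks such mappings "(deleted)") or lives outside /lib and /lib64, which would also flag a vendor-bundled copy such as the OPSWopenssl-0.9.8g-1 package and the /opt/opsware binary visible in the poster's output. The rpm and maps text embedded below is constructed sample data mirroring the thread; the function names and the --live mode that walks the real /proc are this example's own, not anything from the thread or from Red Hat.

```shell
#!/bin/sh
# Added example (not from the redhat-list post): find stale multi-arch openssl
# RPMs and processes still mapping a replaced or non-system libcrypto/libssl.

# Constructed sample of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' openssl
# mirroring the poster's box: x86_64 upgraded, i686 copy left behind.
SAMPLE_RPM='openssl 0.9.8e-27.el5_10.3 x86_64
openssl 0.9.8e-22.el5 i686'

# stale_openssl RPM_OUTPUT WANTED_VERSION_RELEASE
# Prints name-version-release.arch for every installed copy that is not at
# the wanted version-release, so a leftover i686 package shows up by arch.
stale_openssl() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 3 && $2 != want { print $1 "-" $2 "." $3 }'
}

# Constructed /proc/<pid>/maps excerpt for a daemon that loaded a bundled
# OpenSSL from /opt and still holds the x86_64 libcrypto that rpm replaced.
SAMPLE_MAPS='00400000-00452000 r-xp 00000000 fd:00 1234 /opt/opsware/opswgw/bin/opswgw
3a2c400000-3a2c54a000 r-xp 00000000 fd:00 5678 /opt/opsware/openssl/lib/libcrypto.so.0.9.8
3a2c749000-3a2c765000 rw-p 00149000 fd:00 5678 /opt/opsware/openssl/lib/libcrypto.so.0.9.8
3a2d800000-3a2d846000 r-xp 00000000 fd:00 9012 /opt/opsware/openssl/lib/libssl.so.0.9.8
2b1c00100000-2b1c00246000 r-xp 00000000 fd:00 7890 /lib64/libcrypto.so.6 (deleted)
2b1c00000000-2b1c0001d000 r-xp 00000000 fd:00 3456 /lib64/ld-2.5.so
7fff12345000-7fff1235a000 rw-p 00000000 00:00 0 [stack]'

# ssl_libs_in_maps MAPS_TEXT
# Prints "TAG PATH" once per distinct libssl/libcrypto object mapped:
#   deleted - the file rpm replaced is still mapped (process needs a restart)
#   foreign - outside /lib and /lib64 (bundled or hand-built copy; updating
#             the system openssl package does nothing for it)
#   system  - the current system library
ssl_libs_in_maps() {
    printf '%s\n' "$1" | awk '
        $6 ~ /\/lib(ssl|crypto)\.so/ {
            path = $6; tag = "foreign"
            if (path ~ /^\/lib(64)?\//) tag = "system"
            if ($7 == "(deleted)") tag = "deleted"
            key = tag " " path
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# live_scan: run the maps check over every process on the real system and
# print "PID COMMAND TAG PATH" for anything that is not the system library.
# Reading other users' maps needs root.
live_scan() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        [ -r "$m" ] || continue
        comm=$(ps -o comm= -p "$pid" 2>/dev/null || echo '?')
        ssl_libs_in_maps "$(cat "$m" 2>/dev/null)" |
            awk -v p="$pid $comm" '$1 != "system" { print p, $0 }'
    done
}

if [ "${1-}" = "--live" ]; then
    live_scan
else
    echo "== installed openssl copies not at 0.9.8e-27.el5_10.3 =="
    stale_openssl "$SAMPLE_RPM" 0.9.8e-27.el5_10.3
    echo "== libssl/libcrypto objects mapped by the sample process =="
    ssl_libs_in_maps "$SAMPLE_MAPS"
fi
```

Run it with no arguments to see the constructed sample, or as root with --live on the box in question; a "deleted" hit means a daemon started before the rpm -Uvh and must be restarted, while a "foreign" hit is a separate OpenSSL build that the RHN package update cannot fix.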